* Re: [Xen-users] UEFI Secure Boot Xen 4.9
@ 2017-05-15 13:12   ` Daniel Kiper
  2017-05-15 19:09     ` Bill Jacobs (billjac)
From: Daniel Kiper @ 2017-05-15 13:12 UTC (permalink / raw)
  To: billjac, george.dunlap; +Cc: xen-users, xen-devel

Hey,

CC-ing Xen-devel to spread some knowledge about the issue.

On Mon, May 15, 2017 at 10:42:23AM +0100, George Dunlap wrote:
> On Wed, May 10, 2017 at 11:36 PM, Bill Jacobs (billjac)
> <billjac@cisco.com> wrote:
> > Hi all
> >
> > I gather that with 4.9, UEFI secure boot of Xen should be possible.
> >
> > Is this true?
> >
> > If so, what are the options for utilizing UEFI secure boot? Do I need a
> > MSFT-signed shim or grub? Any special changes required for Xen kernel
> > (signing?) or has that been done?
>
> Bill,
>
> I guess in part it depends on what you mean by "utilizing UEFI secure
> boot".  If you simply want to boot an unsigned Xen on a UEFI system
> with SecureBoot enabled, then grub would probably work.  If you want
> to actually do the full SecureBoot thing -- where you have grub check
> Xen's signature and that of the kernel and initrd, you probably need a
> bit more.
>
> Daniel,
>
> Is there any good documentation on this?  The Xen EFI guide
> (https://wiki.xenproject.org/wiki/Xen_EFI) mentions the shim, but
> doesn't go into detail about how to sign a binary &c.

Unfortunately I do not know of anything like that. As you said, in general
shim is supported. Sadly, it works only if you load xen.efi directly from
EFI. __Upstream__ GRUB2 does not have support for shim yet. I am working
on it (shim support via GRUB2 also requires some changes in Xen). I hope
that I will have something which works before the Xen conf in Budapest.

If you wish to use shim with xen.efi then you have to sign xen.efi and
vmlinux with your key using sbsign or pesign. The process works in the same
way as for vmlinux alone. Of course you have to install your public key
into the MOK before enabling secure boot.

Daniel

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel


* Re: [Xen-users] UEFI Secure Boot Xen 4.9
  2017-05-15 13:12   ` [Xen-users] UEFI Secure Boot Xen 4.9 Daniel Kiper
@ 2017-05-15 19:09     ` Bill Jacobs (billjac)
  2017-05-16 11:04       ` Daniel Kiper
From: Bill Jacobs (billjac) @ 2017-05-15 19:09 UTC (permalink / raw)
  To: Daniel Kiper, george.dunlap, Bill Jacobs (billjac); +Cc: xen-users, xen-devel



> -----Original Message-----
> From: Daniel Kiper [mailto:daniel.kiper@oracle.com]
> Sent: Monday, May 15, 2017 6:13 AM
> To: Bill Jacobs (billjac) <billjac@cisco.com>; george.dunlap@citrix.com
> Cc: xen-devel@lists.xen.org; xen-users@lists.xen.org
> Subject: Re: [Xen-users] UEFI Secure Boot Xen 4.9
> 
> Hey,
> 
> CC-ing Xen-devel to spread some knowledge about the issue.
> 
> On Mon, May 15, 2017 at 10:42:23AM +0100, George Dunlap wrote:
> > On Wed, May 10, 2017 at 11:36 PM, Bill Jacobs (billjac)
> > <billjac@cisco.com> wrote:
> > > Hi all
> > >
> > > I gather that with 4.9, UEFI secure boot of Xen should be possible.
> > >
> > > Is this true?
> > >
> > > If so, what are the options for utilizing UEFI secure boot? Do I
> > > need a MSFT-signed shim or grub? Any special changes required for
> > > Xen kernel
> > > (signing?) or has that been done?
> >
> > Bill,
> >
> > I guess in part it depends on what you mean by "utilizing UEFI secure
> > boot".  If you simply want to boot an unsigned Xen on a UEFI system
> > with SecureBoot enabled, then grub would probably work.  If you want
> > to actually do the full SecureBoot thing -- where you have grub check
> > Xen's signature and that of the kernel and initrd, you probably need a
> > bit more.
> >
> > Daniel,
> >
> > Is there any good documentation on this?  The Xen EFI guide
> > (https://wiki.xenproject.org/wiki/Xen_EFI) mentions the shim, but
> > doesn't go into detail about how to sign a binary &c.
> 
> Unfortunately I do not know of anything like that. As you said, in general shim is
> supported. Sadly, it works only if you load xen.efi directly from EFI.
> __Upstream__ GRUB2 does not have support for shim yet. I am working on it
> (shim support via GRUB2 also requires some changes in Xen). I hope that I will
> have something which works before the Xen conf in Budapest.
>
> If you wish to use shim with xen.efi then you have to sign xen.efi and vmlinux
> with your key using sbsign or pesign. The process works in the same way as for
> vmlinux alone. Of course you have to install your public key into the MOK
> before enabling secure boot.
> 
> Daniel

Yes, there are options in how this is achievable, and the solutions may be different.

We are targeting a secure boot chain from UEFI fw to .ko, using the same signing.
In our case we would skip shim and reduce the attack surface, but it appears that the mechanisms 'out there' for passing the pub key (cert) from the UEFI db to the Linux chain require shim to do the work. Is that accurate? Does it have to be the case? I don't see why.
For us, the ideal case is:
UEFI fw -> (signed)GRUB2.efi->Multiboot2->Xen(signed .ko)

I would be happy to work to help achieve this.
-Bill




* Re: [Xen-users] UEFI Secure Boot Xen 4.9
  2017-05-15 19:09     ` Bill Jacobs (billjac)
@ 2017-05-16 11:04       ` Daniel Kiper
  2017-08-23  3:01         ` Tamas K Lengyel
  2017-10-12 17:03         ` Bill Jacobs (billjac)
From: Daniel Kiper @ 2017-05-16 11:04 UTC (permalink / raw)
  To: Bill Jacobs (billjac); +Cc: xen-users, george.dunlap, xen-devel

On Mon, May 15, 2017 at 07:09:54PM +0000, Bill Jacobs (billjac) wrote:
> > -----Original Message-----
> > From: Daniel Kiper [mailto:daniel.kiper@oracle.com]
> > Sent: Monday, May 15, 2017 6:13 AM
> > To: Bill Jacobs (billjac) <billjac@cisco.com>; george.dunlap@citrix.com
> > Cc: xen-devel@lists.xen.org; xen-users@lists.xen.org
> > Subject: Re: [Xen-users] UEFI Secure Boot Xen 4.9
> >
> > Hey,
> >
> > CC-ing Xen-devel to spread some knowledge about the issue.
> >
> > On Mon, May 15, 2017 at 10:42:23AM +0100, George Dunlap wrote:
> > > On Wed, May 10, 2017 at 11:36 PM, Bill Jacobs (billjac)
> > > <billjac@cisco.com> wrote:
> > > > Hi all
> > > >
> > > > I gather that with 4.9, UEFI secure boot of Xen should be possible.
> > > >
> > > > Is this true?
> > > >
> > > > If so, what are the options for utilizing UEFI secure boot? Do I
> > > > need a MSFT-signed shim or grub? Any special changes required for
> > > > Xen kernel
> > > > (signing?) or has that been done?
> > >
> > > Bill,
> > >
> > > I guess in part it depends on what you mean by "utilizing UEFI secure
> > > boot".  If you simply want to boot an unsigned Xen on a UEFI system
> > > with SecureBoot enabled, then grub would probably work.  If you want
> > > to actually do the full SecureBoot thing -- where you have grub check
> > > Xen's signature and that of the kernel and initrd, you probably need a
> > > bit more.
> > >
> > > Daniel,
> > >
> > > Is there any good documentation on this?  The Xen EFI guide
> > > (https://wiki.xenproject.org/wiki/Xen_EFI) mentions the shim, but
> > > doesn't go into detail about how to sign a binary &c.
> >
> > Unfortunately I do not know of anything like that. As you said, in general shim is
> > supported. Sadly, it works only if you load xen.efi directly from EFI.
> > __Upstream__ GRUB2 does not have support for shim yet. I am working on it
> > (shim support via GRUB2 also requires some changes in Xen). I hope that I will
> > have something which works before the Xen conf in Budapest.
> >
> > If you wish to use shim with xen.efi then you have to sign xen.efi and vmlinux
> > with your key using sbsign or pesign. The process works in the same way as for
> > vmlinux alone. Of course you have to install your public key into the MOK
> > before enabling secure boot.
> >
> > Daniel
>
> Yes, there are options in how this is achievable, and the solutions may be different.
>
> We are targeting a secure boot chain from UEFI fw to .ko, using the same signing.
> In our case we would skip shim and reduce the attack surface, but it appears that the mechanisms
> 'out there' for passing the pub key (cert) from the UEFI db to the Linux chain require shim to do
> the work. Is that accurate? Does it have to be the case? I don't see why.

AIUI, if EFI secure boot is enabled then EFI verifies the signatures of every
loaded/executed PE file. Unfortunately, you are not able to use the secure boot
protocol directly to verify yourself the PEs loaded from your app. So, this is
one of the reasons why shim was introduced. It exposes a protocol which can be
used by you to do the verification.

> For us, the ideal case is:
> UEFI fw -> (signed)GRUB2.efi->Multiboot2->Xen(signed .ko)

AFAICT, it is not possible. We should do the following:

  UEFI -> shim -> GRUB2 -> Multiboot2 -> Xen/Linux/etc.

UEFI will verify shim's secure boot signature, then shim will verify GRUB2's
signature, then GRUB2 will verify (with the shim protocol) Xen's signature, and
finally Xen will verify (with the shim protocol) the Linux kernel's signature.
Then your kernel can verify modules using whatever you want.

> I would be happy to work to help achieve this.

There is a chance that I will have something very raw at the beginning
of June. If you wish to do tests drop me a line.

Daniel



* Re: [Xen-users] UEFI Secure Boot Xen 4.9
  2017-05-16 11:04       ` Daniel Kiper
@ 2017-08-23  3:01         ` Tamas K Lengyel
  2017-08-29 20:01           ` Daniel Kiper
  2017-10-12 17:03         ` Bill Jacobs (billjac)
From: Tamas K Lengyel @ 2017-08-23  3:01 UTC (permalink / raw)
  To: Daniel Kiper; +Cc: xen-users, george.dunlap, Bill Jacobs (billjac), xen-devel

On Tue, May 16, 2017 at 5:04 AM, Daniel Kiper <daniel.kiper@oracle.com> wrote:
> On Mon, May 15, 2017 at 07:09:54PM +0000, Bill Jacobs (billjac) wrote:
>> > -----Original Message-----
>> > From: Daniel Kiper [mailto:daniel.kiper@oracle.com]
>> > Sent: Monday, May 15, 2017 6:13 AM
>> > To: Bill Jacobs (billjac) <billjac@cisco.com>; george.dunlap@citrix.com
>> > Cc: xen-devel@lists.xen.org; xen-users@lists.xen.org
>> > Subject: Re: [Xen-users] UEFI Secure Boot Xen 4.9
>> >
>> > Hey,
>> >
>> > CC-ing Xen-devel to spread some knowledge about the issue.
>> >
>> > On Mon, May 15, 2017 at 10:42:23AM +0100, George Dunlap wrote:
>> > > On Wed, May 10, 2017 at 11:36 PM, Bill Jacobs (billjac)
>> > > <billjac@cisco.com> wrote:
>> > > > Hi all
>> > > >
>> > > > I gather that with 4.9, UEFI secure boot of Xen should be possible.
>> > > >
>> > > > Is this true?
>> > > >
>> > > > If so, what are the options for utilizing UEFI secure boot? Do I
>> > > > need a MSFT-signed shim or grub? Any special changes required for
>> > > > Xen kernel
>> > > > (signing?) or has that been done?
>> > >
>> > > Bill,
>> > >
>> > > I guess in part it depends on what you mean by "utilizing UEFI secure
>> > > boot".  If you simply want to boot an unsigned Xen on a UEFI system
>> > > with SecureBoot enabled, then grub would probably work.  If you want
>> > > to actually do the full SecureBoot thing -- where you have grub check
>> > > Xen's signature and that of the kernel and initrd, you probably need a
>> > > bit more.
>> > >
>> > > Daniel,
>> > >
>> > > Is there any good documentation on this?  The Xen EFI guide
>> > > (https://wiki.xenproject.org/wiki/Xen_EFI) mentions the shim, but
>> > > doesn't go into detail about how to sign a binary &c.
>> >
>> > Unfortunately I do not know of anything like that. As you said, in general shim is
>> > supported. Sadly, it works only if you load xen.efi directly from EFI.
>> > __Upstream__ GRUB2 does not have support for shim yet. I am working on it
>> > (shim support via GRUB2 also requires some changes in Xen). I hope that I will
>> > have something which works before the Xen conf in Budapest.
>> >
>> > If you wish to use shim with xen.efi then you have to sign xen.efi and vmlinux
>> > with your key using sbsign or pesign. The process works in the same way as for
>> > vmlinux alone. Of course you have to install your public key into the MOK
>> > before enabling secure boot.
>> >
>> > Daniel
>>
>> Yes, there are options in how this is achievable, and the solutions may be different.
>>
>> We are targeting a secure boot chain from UEFI fw to .ko, using the same signing.
>> In our case we would skip shim and reduce the attack surface, but it appears that the mechanisms
>> 'out there' for passing the pub key (cert) from the UEFI db to the Linux chain require shim to do
>> the work. Is that accurate? Does it have to be the case? I don't see why.
>
> AIUI, if EFI secure boot is enabled then EFI verifies the signatures of every
> loaded/executed PE file. Unfortunately, you are not able to use the secure boot
> protocol directly to verify yourself the PEs loaded from your app. So, this is
> one of the reasons why shim was introduced. It exposes a protocol which can be
> used by you to do the verification.
>
>> For us, the ideal case is:
>> UEFI fw -> (signed)GRUB2.efi->Multiboot2->Xen(signed .ko)
>
> AFAICT, it is not possible. We should do the following:
>
>   UEFI -> shim -> GRUB2 -> Multiboot2 -> Xen/Linux/etc.
>
> UEFI will verify shim's secure boot signature, then shim will verify GRUB2's
> signature, then GRUB2 will verify (with the shim protocol) Xen's signature, and
> finally Xen will verify (with the shim protocol) the Linux kernel's signature.
> Then your kernel can verify modules using whatever you want.
>
>> I would be happy to work to help achieve this.
>
> There is a chance that I will have something very raw at the beginning
> of June. If you wish to do tests drop me a line.

Hi Daniel,
is there any news on this? I would be interested in giving this a shot too.

Thanks,
Tamas



* Re: [Xen-users] UEFI Secure Boot Xen 4.9
  2017-08-23  3:01         ` Tamas K Lengyel
@ 2017-08-29 20:01           ` Daniel Kiper
  2017-08-30 16:16             ` Tamas K Lengyel
From: Daniel Kiper @ 2017-08-29 20:01 UTC (permalink / raw)
  To: Tamas K Lengyel
  Cc: xen-users, george.dunlap, Bill Jacobs (billjac), xen-devel


Hey Tamas,

Sorry for the late reply. I was on vacation.

On Tue, Aug 22, 2017 at 09:01:06PM -0600, Tamas K Lengyel wrote:
> On Tue, May 16, 2017 at 5:04 AM, Daniel Kiper <daniel.kiper@oracle.com> wrote:

[...]

> > UEFI will verify shim's secure boot signature, then shim will verify GRUB2's
> > signature, then GRUB2 will verify (with the shim protocol) Xen's signature, and
> > finally Xen will verify (with the shim protocol) the Linux kernel's signature.
> > Then your kernel can verify modules using whatever you want.
> >
> >> I would be happy to work to help achieve this.
> >
> > There is a chance that I will have something very raw at the beginning
> > of June. If you wish to do tests drop me a line.
>
> Hi Daniel,
> is there any news on this? I would be interested in giving this a shot too.

Please look at

  https://lists.xen.org/archives/html/xen-devel/2017-07/msg00982.html

and at

  https://lists.xen.org/archives/html/xen-devel/2017-07/msg00985.html

The attachments contain the same patches as above but rebased on the latest
GRUB2 and Xen git repositories.

Due to some travel I am going to restart work on this in the second
half of September.

If you have any questions please drop me a line.

Daniel

[-- Attachment #2: 0001-efi-Add-EFI-shim-lock-verifier.patch --]
[-- Type: text/x-diff, Size: 4023 bytes --]

From 8458d7904886ca4bea059d103dac2ba50e53c13b Mon Sep 17 00:00:00 2001
From: Daniel Kiper <daniel.kiper@oracle.com>
Date: Sat, 8 Jul 2017 23:32:36 +0200
Subject: [PATCH] efi: Add EFI shim lock verifier

This is based on git://git.savannah.gnu.org/grub.git phcoder/verifiers branch.

Just an RFC.

TODO:
  - disable the GRUB2 modules load/unload,
  - disable the dangerous modules, e.g. iorw, memrw.

Signed-off-by: Daniel Kiper <daniel.kiper@oracle.com>
---
 grub-core/Makefile.core.def        |    6 +++
 grub-core/commands/efi/shim_lock.c |  100 ++++++++++++++++++++++++++++++++++++
 2 files changed, 106 insertions(+)
 create mode 100644 grub-core/commands/efi/shim_lock.c

diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
index 16c4d0e..c38e4a8 100644
--- a/grub-core/Makefile.core.def
+++ b/grub-core/Makefile.core.def
@@ -905,6 +905,12 @@ module = {
 };
 
 module = {
+  name = shim_lock;
+  common = commands/efi/shim_lock.c;
+  enable = x86_64_efi;
+};
+
+module = {
   name = hdparm;
   common = commands/hdparm.c;
   common = lib/hexdump.c;
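Review bot: `enable = x86_64_efi;` limits the shim_lock module to a single target, so it cannot be built for i386-efi or arm64-efi even though shim runs on those platforms too; unless the protocol call in the new file is x86_64-specific, `enable = efi;` would cover every EFI target.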
diff --git a/grub-core/commands/efi/shim_lock.c b/grub-core/commands/efi/shim_lock.c
new file mode 100644
index 0000000..40d2b25
--- /dev/null
+++ b/grub-core/commands/efi/shim_lock.c
@@ -0,0 +1,100 @@
+/*
+ *  GRUB  --  GRand Unified Bootloader
+ *  Copyright (C) 2017  Free Software Foundation, Inc.
+ *
+ *  GRUB is free software: you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation, either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  GRUB is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with GRUB.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ *  EFI shim lock verifier.
+ *
+ */
+
+#include <grub/dl.h>
+#include <grub/efi/efi.h>
+#include <grub/err.h>
+#include <grub/file.h>
+#include <grub/verify.h>
+
+GRUB_MOD_LICENSE ("GPLv3+");
+
+#define GRUB_EFI_SHIM_LOCK_GUID \
+  { 0x605dab50, 0xe046, 0x4300, \
+    { 0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b, 0x23 } \
+  }
+
+struct grub_efi_shim_lock_protocol
+{
+  grub_efi_status_t
+  (*verify) (void *buffer,
+	     grub_uint32_t size);
+};
+typedef struct grub_efi_shim_lock_protocol grub_efi_shim_lock_protocol_t;
+
+static grub_efi_guid_t shim_lock_guid = GRUB_EFI_SHIM_LOCK_GUID;
+static grub_efi_shim_lock_protocol_t *sl;
+
+static grub_err_t
+shim_lock_init (grub_file_t io __attribute__ ((unused)), enum grub_file_type type,
+	       void **context __attribute__ ((unused)), enum grub_verify_flags *flags)
+{
+  *flags = GRUB_VERIFY_FLAGS_SKIP_VERIFICATION;
+
+  if (!sl)
+    return GRUB_ERR_NONE;
+
+  switch (type & GRUB_FILE_TYPE_MASK)
+    {
+    case GRUB_FILE_TYPE_LINUX_KERNEL:
+    case GRUB_FILE_TYPE_MULTIBOOT_KERNEL:
+    case GRUB_FILE_TYPE_BSD_KERNEL:
+    case GRUB_FILE_TYPE_XNU_KERNEL:
+    case GRUB_FILE_TYPE_PLAN9_KERNEL:
+      *flags = GRUB_VERIFY_FLAGS_SINGLE_CHUNK;
+
+    default:
+      return GRUB_ERR_NONE;
+    }
+}
+
+static grub_err_t
+shim_lock_write (void *context __attribute__ ((unused)), void *buf, grub_size_t size)
+{
+  if (sl->verify (buf, size) != GRUB_EFI_SUCCESS)
+    return grub_error (GRUB_ERR_BAD_SIGNATURE, N_("bad shim signature"));
+
+  return GRUB_ERR_NONE;
+}
+
+static void
+shim_lock_close (void *context __attribute__ ((unused)))
+{
+}
+
+struct grub_file_verifier shim_lock =
+  {
+    .name = "shim_lock",
+    .init = shim_lock_init,
+    .write = shim_lock_write,
+    .close = shim_lock_close
+  };
+
+GRUB_MOD_INIT(shim_lock)
+{
+  sl = grub_efi_locate_protocol (&shim_lock_guid, 0);
+  grub_verifier_register (&shim_lock);
+}
+
+GRUB_MOD_FINI(shim_lock)
+{
+  grub_verifier_unregister (&shim_lock);
+}
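Review bot: in `shim_lock_init`, the early `if (!sl) return GRUB_ERR_NONE;` after `*flags = GRUB_VERIFY_FLAGS_SKIP_VERIFICATION;` means that when `grub_efi_locate_protocol` found no shim lock protocol (GRUB started without shim, or an older shim) every kernel is loaded unverified with no message at all; on a system with Secure Boot enabled that should be a hard error, so consider checking the `SecureBoot` EFI variable in `GRUB_MOD_INIT` and refusing to register, or returning an error such as `GRUB_ERR_ACCESS_DENIED` from init, when Secure Boot is on and `sl` is NULL. Two smaller points: `sl->verify (buf, size)` is a direct call into a UEFI protocol, which on x86_64 uses the MS calling convention, so it should go through `efi_call_2 (sl->verify, buf, size)` like GRUB's other protocol calls; and the fall-through from the `case GRUB_FILE_TYPE_*_KERNEL:` labels into `default:` is intentional but deserves a `/* Fall through.  */` comment. The TODO items in the commit message (module load/unload, iorw/memrw) matter for the same reason: until they are done the verifier can be unloaded again from the GRUB shell.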
-- 
1.7.10.4


[-- Attachment #3: xen_mb2_efi_sb_rfc_rebase_20170829.tgz --]
[-- Type: application/x-gtar-compressed, Size: 7869 bytes --]



* Re: [Xen-users] UEFI Secure Boot Xen 4.9
  2017-08-29 20:01           ` Daniel Kiper
@ 2017-08-30 16:16             ` Tamas K Lengyel
  2017-09-04 12:40               ` Daniel Kiper
From: Tamas K Lengyel @ 2017-08-30 16:16 UTC (permalink / raw)
  To: Daniel Kiper; +Cc: xen-users, george.dunlap, Bill Jacobs (billjac), xen-devel

On Tue, Aug 29, 2017 at 2:01 PM, Daniel Kiper <daniel.kiper@oracle.com> wrote:
> Hey Tamas,
>
> Sorry for the late reply. I was on vacation.
>
> On Tue, Aug 22, 2017 at 09:01:06PM -0600, Tamas K Lengyel wrote:
>> On Tue, May 16, 2017 at 5:04 AM, Daniel Kiper <daniel.kiper@oracle.com> wrote:
>
> [...]
>
>> > UEFI will verify shim's secure boot signature, then shim will verify GRUB2's
>> > signature, then GRUB2 will verify (with the shim protocol) Xen's signature, and
>> > finally Xen will verify (with the shim protocol) the Linux kernel's signature.
>> > Then your kernel can verify modules using whatever you want.
>> >
>> >> I would be happy to work to help achieve this.
>> >
>> > There is a chance that I will have something very raw at the beginning
>> > of June. If you wish to do tests drop me a line.
>>
>> Hi Daniel,
>> is there any news on this? I would be interested in giving this a shot too.
>
> Please look at
>
>   https://lists.xen.org/archives/html/xen-devel/2017-07/msg00982.html
>
> and at
>
>   https://lists.xen.org/archives/html/xen-devel/2017-07/msg00985.html
>
> The attachments contain the same patches as above but rebased on the latest
> GRUB2 and Xen git repositories.
>
> Due to some travel I am going to restart work on this in the second
> half of September.
>
> If you have any questions please drop me a line.
>

Hi Daniel,
thanks for the update, I'll give it a shot today to set it up. On a
somewhat related note, are you aware of any work on getting secure
boot + UEFI working in a guest? There is a PoC patch on OpenXT
(https://github.com/OpenXT/xenclient-oe/pull/729) but I was wondering if
there are any parallel efforts ongoing.

Thanks,
Tamas



* Re: [Xen-users] UEFI Secure Boot Xen 4.9
  2017-08-30 16:16             ` Tamas K Lengyel
@ 2017-09-04 12:40               ` Daniel Kiper
  2017-09-05 16:26                 ` Tamas K Lengyel
From: Daniel Kiper @ 2017-09-04 12:40 UTC (permalink / raw)
  To: Tamas K Lengyel
  Cc: xen-users, george.dunlap, Bill Jacobs (billjac), xen-devel

On Wed, Aug 30, 2017 at 10:16:23AM -0600, Tamas K Lengyel wrote:
> On Tue, Aug 29, 2017 at 2:01 PM, Daniel Kiper <daniel.kiper@oracle.com> wrote:
> > Hey Tamas,
> >
> > Sorry for the late reply. I was on vacation.
> >
> > On Tue, Aug 22, 2017 at 09:01:06PM -0600, Tamas K Lengyel wrote:
> >> On Tue, May 16, 2017 at 5:04 AM, Daniel Kiper <daniel.kiper@oracle.com> wrote:
> >
> > [...]
> >
> >> > UEFI will verify shim's secure boot signature, then shim will verify GRUB2's
> >> > signature, then GRUB2 will verify (with the shim protocol) Xen's signature, and
> >> > finally Xen will verify (with the shim protocol) the Linux kernel's signature.
> >> > Then your kernel can verify modules using whatever you want.
> >> >
> >> >> I would be happy to work to help achieve this.
> >> >
> >> > There is a chance that I will have something very raw at the beginning
> >> > of June. If you wish to do tests drop me a line.
> >>
> >> Hi Daniel,
> >> is there any news on this? I would be interested in giving this a shot too.
> >
> > Please look at
> >
> >   https://lists.xen.org/archives/html/xen-devel/2017-07/msg00982.html
> >
> > and at
> >
> >   https://lists.xen.org/archives/html/xen-devel/2017-07/msg00985.html
> >
> > The attachments contain the same patches as above but rebased on the latest
> > GRUB2 and Xen git repositories.
> >
> > Due to some travel I am going to restart work on this in the second
> > half of September.
> >
> > If you have any questions please drop me a line.
> >
>
> Hi Daniel,
> thanks for the update, I'll give it a shot today to set it up. On a
> somewhat related note, are you aware of any work on getting secure
> boot + UEFI working in a guest? There is a PoC patch on OpenXT
> (https://github.com/OpenXT/xenclient-oe/pull/729) but I was wondering if
> there are any parallel efforts ongoing.

I do not follow this issue in detail. However, I suppose that if OVMF
supports UEFI secure boot (well, QEMU has to enable SMM support too;
I do not know whether it works with Xen or not) then the guest should work
without any issue. Just guessing...

Daniel



* Re: [Xen-users] UEFI Secure Boot Xen 4.9
  2017-09-04 12:40               ` Daniel Kiper
@ 2017-09-05 16:26                 ` Tamas K Lengyel
  2017-09-18 15:24                   ` Tamas K Lengyel
From: Tamas K Lengyel @ 2017-09-05 16:26 UTC (permalink / raw)
  To: Daniel Kiper; +Cc: xen-users, george.dunlap, Bill Jacobs (billjac), xen-devel

On Mon, Sep 4, 2017 at 6:40 AM, Daniel Kiper <daniel.kiper@oracle.com> wrote:
> On Wed, Aug 30, 2017 at 10:16:23AM -0600, Tamas K Lengyel wrote:
>> On Tue, Aug 29, 2017 at 2:01 PM, Daniel Kiper <daniel.kiper@oracle.com> wrote:
>> > Hey Tamas,
>> >
>> > Sorry for the late reply. I was on vacation.
>> >
>> > On Tue, Aug 22, 2017 at 09:01:06PM -0600, Tamas K Lengyel wrote:
>> >> On Tue, May 16, 2017 at 5:04 AM, Daniel Kiper <daniel.kiper@oracle.com> wrote:
>> >
>> > [...]
>> >
>> >> > UEFI will verify shim's secure boot signature, then shim will verify GRUB2's
>> >> > signature, then GRUB2 will verify (with the shim protocol) Xen's signature, and
>> >> > finally Xen will verify (with the shim protocol) the Linux kernel's signature.
>> >> > Then your kernel can verify modules using whatever you want.
>> >> >
>> >> >> I would be happy to work to help achieve this.
>> >> >
>> >> > There is a chance that I will have something very raw at the beginning
>> >> > of June. If you wish to do tests drop me a line.
>> >>
>> >> Hi Daniel,
>> >> is there any news on this? I would be interested in giving this a shot too.
>> >
>> > Please look at
>> >
>> >   https://lists.xen.org/archives/html/xen-devel/2017-07/msg00982.html
>> >
>> > and at
>> >
>> >   https://lists.xen.org/archives/html/xen-devel/2017-07/msg00985.html
>> >
>> > The attachments contain the same patches as above but rebased on the latest
>> > GRUB2 and Xen git repositories.
>> >
>> > Due to some travel I am going to restart work on this in the second
>> > half of September.
>> >
>> > If you have any questions please drop me a line.
>> >
>>
>> Hi Daniel,
>> thanks for the update, I'll give it a shot today to set it up. On a
>> somewhat related note, are you aware of any work on getting secure
>> boot + UEFI working in a guest? There is a PoC patch on OpenXT
>> (https://github.com/OpenXT/xenclient-oe/pull/729) but I was wondering if
>> there are any parallel efforts ongoing.
>
> I do not follow this issue in detail. However, I suppose that if OVMF
> supports UEFI secure boot (well, QEMU has to enable SMM support too;
> I do not know whether it works with Xen or not) then the guest should work
> without any issue. Just guessing...
>

Sure, I was just wondering if you are aware of anyone looking at that.

In other news, I was able to get your patches working and have been
able to boot with Secure Boot enabled as far as shim -> signed grub ->
signed linux without initrd. If I boot a signed version of Xen from
grub it goes as far as setup_efi_pci but then the system reboots
without anything else being printed on the screen. I haven't been able
to debug it any further yet.

Tamas



* Re: [Xen-users] UEFI Secure Boot Xen 4.9
  2017-09-05 16:26                 ` Tamas K Lengyel
@ 2017-09-18 15:24                   ` Tamas K Lengyel
  2017-09-19 12:19                     ` Daniel Kiper
From: Tamas K Lengyel @ 2017-09-18 15:24 UTC (permalink / raw)
  To: Daniel Kiper; +Cc: xen-users, george.dunlap, Bill Jacobs (billjac), xen-devel

On Tue, Sep 5, 2017 at 12:26 PM, Tamas K Lengyel
<tamas.k.lengyel@gmail.com> wrote:
> On Mon, Sep 4, 2017 at 6:40 AM, Daniel Kiper <daniel.kiper@oracle.com> wrote:
>> On Wed, Aug 30, 2017 at 10:16:23AM -0600, Tamas K Lengyel wrote:
>>> On Tue, Aug 29, 2017 at 2:01 PM, Daniel Kiper <daniel.kiper@oracle.com> wrote:
>>> > Hey Tamas,
>>> >
>>> > Sorry for the late reply. I was on vacation.
>>> >
>>> > On Tue, Aug 22, 2017 at 09:01:06PM -0600, Tamas K Lengyel wrote:
>>> >> On Tue, May 16, 2017 at 5:04 AM, Daniel Kiper <daniel.kiper@oracle.com> wrote:
>>> >
>>> > [...]
>>> >
>>> >> > UEFI will verify shim's secure boot signature, then shim will verify GRUB2's
>>> >> > signature, then GRUB2 will verify (with the shim protocol) Xen's signature, and
>>> >> > finally Xen will verify (with the shim protocol) the Linux kernel's signature.
>>> >> > Then your kernel can verify modules using whatever you want.
>>> >> >
>>> >> >> I would be happy to work to help achieve this.
>>> >> >
>>> >> > There is a chance that I will have something very raw at the beginning
>>> >> > of June. If you wish to do tests drop me a line.
>>> >>
>>> >> Hi Daniel,
>>> >> is there any news on this? I would be interested in giving this a shot too.
>>> >
>>> > Please look at
>>> >
>>> >   https://lists.xen.org/archives/html/xen-devel/2017-07/msg00982.html
>>> >
>>> > and at
>>> >
>>> >   https://lists.xen.org/archives/html/xen-devel/2017-07/msg00985.html
>>> >
>>> > The attachments contain the same patches as above but rebased on the latest
>>> > GRUB2 and Xen git repositories.
>>> >
>>> > Due to some travel I am going to restart work on this in the second
>>> > half of September.
>>> >
>>> > If you have any questions please drop me a line.
>>> >
>>>
>>> Hi Daniel,
>>> thanks for the update, I'll give it a shot today to set it up. On a
>>> somewhat related note, are you aware of any work on getting secure
>>> boot + UEFI working in a guest? There is a PoC patch on OpenXT
>>> (https://github.com/OpenXT/xenclient-oe/pull/729) but I was wondering if
>>> there are any parallel efforts ongoing.
>>
>> I do not follow this issue in detail. However, I suppose that if OVMF
>> supports UEFI secure boot (well, QEMU has to enable SMM support too;
>> I do not know whether it works with Xen or not) then the guest should work
>> without any issue. Just guessing...
>>
>
> Sure, I was just wondering if you are aware of anyone looking at that.
>
> In other news, I was able to get your patches working and have been
> able to boot with Secure Boot enabled as far as shim -> signed grub ->
> signed linux without initrd. If I boot a signed version of Xen from
> grub it goes as far as setup_efi_pci but then the system reboots
> without anything else being printed on the screen. I haven't been able
> to debug it any further yet.
>

Daniel,
just FYI, the xen.mb.efi generated with your patches causes pesign to segfault:

cms_pe_common.c:generate_digest:198 PE section ".text" has invalid address
Segmentation fault

Tamas

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel


* Re: [Xen-users] UEFI Secure Boot Xen 4.9
  2017-09-18 15:24                   ` Tamas K Lengyel
@ 2017-09-19 12:19                     ` Daniel Kiper
  0 siblings, 0 replies; 12+ messages in thread
From: Daniel Kiper @ 2017-09-19 12:19 UTC (permalink / raw)
  To: Tamas K Lengyel
  Cc: xen-users, george.dunlap, Bill Jacobs (billjac), xen-devel

On Mon, Sep 18, 2017 at 11:24:15AM -0400, Tamas K Lengyel wrote:
> On Tue, Sep 5, 2017 at 12:26 PM, Tamas K Lengyel
> <tamas.k.lengyel@gmail.com> wrote:
> > On Mon, Sep 4, 2017 at 6:40 AM, Daniel Kiper <daniel.kiper@oracle.com> wrote:
> >> On Wed, Aug 30, 2017 at 10:16:23AM -0600, Tamas K Lengyel wrote:
> >>> On Tue, Aug 29, 2017 at 2:01 PM, Daniel Kiper <daniel.kiper@oracle.com> wrote:
> >>> > Hey Tamas,
> >>> >
> >>> > Sorry for late reply. I was on vacation.
> >>> >
> >>> > On Tue, Aug 22, 2017 at 09:01:06PM -0600, Tamas K Lengyel wrote:
> >>> >> On Tue, May 16, 2017 at 5:04 AM, Daniel Kiper <daniel.kiper@oracle.com> wrote:
> >>> >
> >>> > [...]
> >>> >
> >>> >> > UEFI will verify shim secure boot signature then shim will verify GRUB2
> >>> >> > signature then GRUB2 will verify (with shim protocol) Xen signature and
> >>> >> > finally Xen will verify (with shim protocol) Linux kernel signature. Then
> >>> >> > your kernel can verify modules using whatever you want.
> >>> >> >
> >>> >> >> I would be happy to work to help achieve this.
> >>> >> >
> >>> >> > There is a chance that I will have something very raw at the beginning
> >>> >> > of June. If you wish to do tests drop me a line.
> >>> >>
> >>> >> Hi Daniel,
> >>> >> is there any news on this? I would be interested in giving this a shot too.
> >>> >
> >>> > Please look at
> >>> >
> >>> >   https://lists.xen.org/archives/html/xen-devel/2017-07/msg00982.html
> >>> >
> >>> > and at
> >>> >
> >>> >   https://lists.xen.org/archives/html/xen-devel/2017-07/msg00985.html
> >>> >
> >>> > Attachments contain the same patches as above but rebased on latest
> >>> > GRUB2 and Xen git repositories.
> >>> >
> >>> > Due to some travel I am going to restart work on this in the second
> >>> > half of September.
> >>> >
> >>> > If you have any questions please drop me a line.
> >>> >
> >>>
> >>> Hi Daniel,
> >>> thanks for the update, I'll give it a shot today to set it up. In a
> >>> somewhat related note, are you aware of any work on getting secure
> >>> boot + UEFI working in a guest? There is a PoC patch on OpenXT
> >>> (https://github.com/OpenXT/xenclient-oe/pull/729) but was wondering if
> >>> there are any parallel efforts ongoing.
> >>
> >> I do not follow this issue in detail. However, I suppose that if OVMF
> >> supports UEFI secure boot (well, QEMU has to enable SMM support too;
> >> I do not know whether it works with Xen or not) then the guest should work
> >> without any issue. Just guessing...
> >>
> >
> > Sure, was just wondering if you are aware of anyone looking at that.
> >
> > In other news I was able to get your patches working and have been
> > able to boot with Secure boot enabled as far as shim -> signed grub ->
> > signed linux without initrd. If I boot a signed version of Xen from
> > grub it goes as far as setup_efi_pci but then the system reboots
> > without anything else being printed on the screen. I haven't been able
> > to debug it any further yet.
> >
>
> Daniel,
> just FYI the xen.mb.efi generated with your patches causes pesign to segfault:
>
> cms_pe_common.c:generate_digest:198 PE section ".text" has invalid address
> Segmentation fault

Thank you for doing the tests. I am going to restart work on this next week
and post next version of patches in October. I will try to fix all issues
spotted by you. Stay tuned...

Daniel
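The pesign crash Tamas reports above is triggered by a section header the signer cannot process. As an added illustration, not code from pesign, from the patch series or from anyone in this thread, the Python below sanity-checks a PE32+ section table before a binary is handed to sbsign or pesign: it flags a section whose VirtualAddress is zero or unaligned, one that extends past SizeOfImage, and one whose raw data lies outside the file. The test images are constructed inline, and the exact conditions checked are my assumptions about what an Authenticode signer needs, not pesign's own logic.

```python
import struct

SECTION_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes (PE/COFF spec)

def check_sections(image):
    """Return (section, problem) pairs for section headers an Authenticode signer
    cannot hash safely; an empty list means the section table looks sane."""
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]            # e_lfanew
    if image[:2] != b"MZ" or image[pe_off:pe_off + 4] != b"PE\0\0":
        return [("<file>", "not a PE image")]
    nsec = struct.unpack_from("<H", image, pe_off + 6)[0]        # NumberOfSections
    opt_size = struct.unpack_from("<H", image, pe_off + 20)[0]   # SizeOfOptionalHeader
    opt = pe_off + 24                                            # optional header start
    if struct.unpack_from("<H", image, opt)[0] != 0x20B:         # PE32+ magic
        return [("<file>", "not a PE32+ image")]
    sect_align, file_align = struct.unpack_from("<II", image, opt + 32)
    size_of_image, size_of_headers = struct.unpack_from("<II", image, opt + 56)
    problems = []
    for i in range(nsec):
        fields = struct.unpack_from(SECTION_FMT, image, opt + opt_size + 40 * i)
        name = fields[0].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, rawsize, rawptr = fields[1:5]
        if va == 0 or va % sect_align:
            problems.append((name, "VirtualAddress %#x is zero or unaligned" % va))
        if va + max(vsize, rawsize) > size_of_image:
            problems.append((name, "section extends past SizeOfImage"))
        if rawsize and (rawptr < size_of_headers or rawptr % file_align or rawptr + rawsize > len(image)):
            problems.append((name, "raw data [%#x, %#x) misaligned or outside the file" % (rawptr, rawptr + rawsize)))
    return problems

def build_image(sections, sect_align=0x1000, file_align=0x200):
    """Constructed minimal PE32+ image (headers plus zero-filled section data) for
    testing only; `sections` is a list of (name, virtual_address, raw_size)."""
    img = bytearray(file_align)                                  # SizeOfHeaders
    img[:2], img[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, 0x40)                      # e_lfanew
    struct.pack_into("<HHIIIHH", img, 0x44, 0x8664, len(sections), 0, 0, 0, 240, 0x22)
    opt = 0x58                                                   # after the 20-byte COFF header
    struct.pack_into("<H", img, opt, 0x20B)
    struct.pack_into("<II", img, opt + 32, sect_align, file_align)
    size_of_image = max((va + size + sect_align - 1) // sect_align * sect_align for _, va, size in sections)
    struct.pack_into("<II", img, opt + 56, size_of_image, file_align)
    for i, (name, va, size) in enumerate(sections):
        struct.pack_into(SECTION_FMT, img, opt + 240 + 40 * i, name.encode(), size, va,
                         size, len(img), 0, 0, 0, 0, 0x60000020)
        img += bytes(size)                                       # raw bytes, zero filled
    return bytes(img)

GOOD = build_image([(".text", 0x1000, 0x400), (".data", 0x2000, 0x200)])
BAD = build_image([(".text", 0x0, 0x400), (".data", 0x2000, 0x200)])   # constructed: .text at RVA 0
```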


* Re: [Xen-users] UEFI Secure Boot Xen 4.9
  2017-05-16 11:04       ` Daniel Kiper
  2017-08-23  3:01         ` Tamas K Lengyel
@ 2017-10-12 17:03         ` Bill Jacobs (billjac)
  2017-10-13  8:09           ` Daniel Kiper
  1 sibling, 1 reply; 12+ messages in thread
From: Bill Jacobs (billjac) @ 2017-10-12 17:03 UTC (permalink / raw)
  To: Daniel Kiper; +Cc: xen-users, george.dunlap, xen-devel

Hi
What is the status of creating a shim to abstract secure boot signing for Xen (to leverage MSFT 3rd party signing, e.g.)?
Thanks
-Bill

> -----Original Message-----
> From: Daniel Kiper [mailto:daniel.kiper@oracle.com]
> Sent: Tuesday, May 16, 2017 4:05 AM
> To: Bill Jacobs (billjac) <billjac@cisco.com>
> Cc: george.dunlap@citrix.com; xen-devel@lists.xen.org; xen-
> users@lists.xen.org
> Subject: Re: [Xen-users] UEFI Secure Boot Xen 4.9
> 
> On Mon, May 15, 2017 at 07:09:54PM +0000, Bill Jacobs (billjac) wrote:
> > > -----Original Message-----
> > > From: Daniel Kiper [mailto:daniel.kiper@oracle.com]
> > > Sent: Monday, May 15, 2017 6:13 AM
> > > To: Bill Jacobs (billjac) <billjac@cisco.com>;
> > > george.dunlap@citrix.com
> > > Cc: xen-devel@lists.xen.org; xen-users@lists.xen.org
> > > Subject: Re: [Xen-users] UEFI Secure Boot Xen 4.9
> > >
> > > Hey,
> > >
> > > CC-ing Xen-devel to spread some knowledge about the issue.
> > >
> > > On Mon, May 15, 2017 at 10:42:23AM +0100, George Dunlap wrote:
> > > > On Wed, May 10, 2017 at 11:36 PM, Bill Jacobs (billjac)
> > > > <billjac@cisco.com> wrote:
> > > > > Hi all
> > > > >
> > > > > I gather that with 4.9, UEFI secure boot of Xen should be possible.
> > > > >
> > > > > Is this true?
> > > > >
> > > > > If so, what are the options for utilizing UEFI secure boot? Do I
> > > > > need a MSFT-signed shim or grub? Any special changes required
> > > > > for Xen kernel
> > > > > (signing?) or has that been done?
> > > >
> > > > Bill,
> > > >
> > > > I guess in part it depends on what you mean by "utilizing UEFI
> > > > secure boot".  If you simply want to boot an unsigned Xen on a
> > > > UEFI system with SecureBoot enabled, then grub would probably
> > > > work.  If you want to actually do the full SecureBoot thing --
> > > > where you have grub check Xen's signature and that of the kernel
> > > > and initrd, you probably need a bit more.
> > > >
> > > > Daniel,
> > > >
> > > > Is there any good documentation on this?  The Xen EFI guide
> > > > (https://wiki.xenproject.org/wiki/Xen_EFI) mentions the shim, but
> > > > doesn't go into detail about how to sign a binary &c.
> > >
> > > Unfortunately I do not know anything like that. As you said in
> > > general shim is supported. Sadly, it works only if you load xen.efi directly
> > > from EFI.
> > > __Upstream__ GRUB2 does not have support for shim yet. I am working
> > > on it (shim support via GRUB2 requires also some changes in Xen). I
> > > hope that I will have something which works before Xen conf in Budapest.
> > >
> > > If you wish to use shim with xen.efi then you have to sign xen.efi
> > > and vmlinux with your key using sbsign or pesign. The process works
> > > in the same way as for vmlinux alone. Of course you have to
> > > install your public key into MOK before enabling secure boot.
> > >
> > > Daniel
> >
> > Yes, there are options in how this is achievable, and the solutions may be
> > different.
> >
> > We are targeting a secure boot chain from UEFI fw to .ko, using same signing.
> > In our case we would skip shim and reduce attack surface, but it appears
> > that the mechanisms 'out there' for passing pub key (cert) from UEFI
> > db to Linux chainring require shim to do the work. Is that accurate? Does it
> > have to be the case? I don't see why.
> 
> AIUI, if EFI secure boot is enabled then EFI verifies signatures of every
> loaded/executed PE file. Unfortunately, you are not able to use the secure boot
> protocol directly to verify yourself PEs loaded from your app. So, this is one of
> the reasons why shim was introduced. It exposes a protocol which can be used by
> you to do verification.
> 
> > For us, ideal case is :
> > UEFI fw -> (signed)GRUB2.efi->Multiboot2->Xen(signed .ko)
> 
> AFAICT, it is not possible. We should do the following thing:
> 
>   UEFI -> shim -> GRUB2 -> Multiboot2 -> Xen/Linux/etc.
> 
> UEFI will verify shim secure boot signature then shim will verify GRUB2
> signature then GRUB2 will verify (with shim protocol) Xen signature and finally
> Xen will verify (with shim protocol) Linux kernel signature. Then your kernel
> can verify modules using whatever you want.
> 
> > I would be happy to work to help achieve this.
> 
> There is a chance that I will have something very raw at the beginning of June.
> If you wish to do tests drop me a line.
> 
> Daniel


* Re: [Xen-users] UEFI Secure Boot Xen 4.9
  2017-10-12 17:03         ` Bill Jacobs (billjac)
@ 2017-10-13  8:09           ` Daniel Kiper
  0 siblings, 0 replies; 12+ messages in thread
From: Daniel Kiper @ 2017-10-13  8:09 UTC (permalink / raw)
  To: Bill Jacobs (billjac); +Cc: xen-users, george.dunlap, xen-devel

On Thu, Oct 12, 2017 at 05:03:13PM +0000, Bill Jacobs (billjac) wrote:
> Hi
> What is the status of creating a shim to abstract secure boot
> signing for Xen (to leverage MSFT 3rd party signing, e.g.)?

xen.efi works with shim itself out of the box. If you wish
to use shim and GRUB2 to load Xen you have to look at these
RFC patch series:
  - https://lists.xen.org/archives/html/xen-devel/2017-07/msg00982.html
  - https://lists.xen.org/archives/html/xen-devel/2017-07/msg00985.html

I am slowly going back to this work. So, I hope that it will
be taken into Xen 4.11 or so.

Daniel

